Pseudo-Review of “Zero Day” by Mark Russinovich and other stuff
I'm currently reading "Zero Day" by Mark Russinovich, and to sum things up: for the first time in a very, very long time I'm actually considering abandoning a book before reaching the end. I'll try to explain here what I mean by this. Even though I have not reached the end, I can safely say that I can't recommend this book to anyone interested in a *solid* techno-thriller. But anyway, spoilers ahead.
I bought the book based on... what? Maybe a tweet? Maybe it was Amazon who recommended it to me or something. I'm not entirely sure. But I had just finished Bret Easton Ellis' latest book "Imperial Bedrooms", which was... well, rather bland as well, and I was looking for a good read.
Zero Day starts out fast and exciting, like a real techno-thriller. But very soon the reader will become aware that the book is written with a very, very specific audience in mind: a person who is male, young and unaware of the ways of "hackers" and computer crime. Reading this book I feel almost insulted at times. I could, for instance, not recommend this to anyone who is easily offended by the objectification (is that even a word?) of women. The book reads like something written by and/or for horny teenage boys. Almost every (it may even be every) female character in the book is portrayed in a flirtatious manner, as if all women are raucous perverts just looking to be fucked. Almost every "scene" describing a female character, no matter how minor, includes descriptions of things like men ogling the woman's ass, breasts, or how she looks, or she may talk in a flirtatious manner, proposing sex or just generally acting like a slut.
I thought it'd apply to just one or two characters, but this has to be a god damn joke, because I have never seen such horniness in any description of the IT industry. Where are all these big-breasted, ample-assed, always-horny IT-expert women? I need to know, now.
Seriously.
Another annoying thing that drives me mad is the chapters where the protagonists are chatting on instant messenger, IRC or whatever. The language is silly and made up, and not how people talk, anywhere! Christ! Do you have to put up a big sign saying "this is how hackers talk!!" by making the characters talk like fucking language-impaired imbeciles? Sure, sometimes people talk in leet-speak, but this has become kind of an in-joke at this point. I've seen 14-year-olds express themselves quite clearly, and I find it very difficult to believe that 30-something IT-industry experts would sit in a chatroom writing sentences that lack most vowels or are otherwise compressed to the point of utter annoyance. It would actually take a concentrated effort to write like the characters in this book.
I have about 70 pages to go, and I'm so tired of these repeating themes. Oh, and one can't forget the continuous references to 9/11 (that's September the 11th for people who write dates in a way that makes sense). I get that it's a central plot point, and Al Qaeda is the pseudo-bogeyman, and how Arabs are evil and the towers fell and the planes hit and oh the humanity. I don't think it's a very effective plot point anymore, but then again, I'm not a US citizen. I don't have the lifelong emotional scars.
This just... doesn't work for me. I might recommend this to someone who is entirely outside this industry, this scene if you will. But under no circumstances would I recommend this to anyone who has spent more time in front of a computer, or who would like to read something about, like, cool cyber hackers (the word cyber also appears on nearly every page, which means that if you're playing the Pauldotcom drinking game, you'd be dead by page 100), about criminals and terrorists and Osama Dead Laden, and how horny the girls are in the IT industry (not). But if you for some reason wish to read about this stuff, by all means, pick it up. A casual reader looking for a sure-flowing thriller might enjoy this book. I'm not sure I can finish it, because I find it so insulting to my intellect. And I write this without even a hint of arrogance, trust me.
The other stuff
Another chapter of miscellanea. Most of the stuff is now in boxes or bags. Keys will be picked up on Friday. We're on the waiting list to buy Assembly 2011 tickets (me and H, P, M and O, at least). The other people, well... they don't seem too interested, as nobody has contacted anyone about tickets. But I guess that's for the better.
This will probably be my last year. It's a fitting end too. It's the 20th anniversary Assembly, and I'll get to show H what the fuss is about. I also realize I've said this for the past three years. But you can't trust me!
We're rewatching Twin Peaks, and we just saw the episode with David Duchovny as Dennis, sorry, Denise. A brilliant episode, and a brilliant portrayal by Duchovny, keeping in mind that this was before The X-files started. Wonderful.
With B, we've discussed multi-dimensional objects, probabilities of intersection in finite and infinite spaces. Standard stuff.
Also wrapping up Mad Men Season 3, which is a great series to watch. Looking forward to the 4th season on DVD, whenever I can get that for a reasonable price. Also Flash Forward, though I have only seen the first half of the series. The box is a bit pricey in Finland at the moment, so maybe I'll wait to get it. I'm not sure they showed the entire thing on TV, and considering the fact that I don't watch TV anymore (haven't watched more than an hour a week for the past two years), it's unlikely I'll see the remaining episodes there.
A distinct disinterest
What is it with the state of security that I'm seeing around me?
People are using weak passwords, or the same password for everything, and not only that: the people who are supposed to be responsible for security do not discourage or prohibit the use of such passwords. Hell, weak passwords are sometimes even encouraged. "Pick something that you'll remember for sure, as long as it has at least one capital letter." Then we end up with passwords like "Dog1234", and when the obligatory change every three months comes a-knocking, we get "Cat1234", because of poor user education and poor (or non-existent) complexity rules.
If we have something like full-disk encryption, chances are it's synchronized with Windows, using single sign-on. Or else it's a PIN code or something that's way too easy to guess or deduce.
Security is just simply abhorrent everywhere I look. And I'm not sure how to start changing it. Other people are making the policies; I can only offer suggestions and compliment users on good choices (and I've seen some of those too!). I'm more for positive feedback, but sometimes I just want to scream. It's like nobody cares that a fucking VPN password only has single-factor authentication, and the password is like December2009.
"But it has numbers and a capital letter in it!"
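To make the complaint above concrete, here is an added example (my own code, not something from the original post) that compares the quoted rule, "at least one capital letter and a number", with a checker that looks for the patterns the post describes: a dictionary word plus digits, a month name plus a year, a sequential digit run, and a rotation that keeps the old numeric suffix. The word list and month list are constructed for the example; a real deployment would load a full dictionary and a breached-password list instead.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full word list and a breached-password list here).
COMMON_WORDS = {"dog", "cat", "password", "summer", "winter", "welcome", "admin"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEQUENTIAL_DIGITS = re.compile(r"(?:0123|1234|2345|3456|4567|5678|6789)")
WORD_THEN_DIGITS = re.compile(r"([a-z]+)(\d{1,6})")


def naive_policy_ok(pw: str) -> bool:
    """The rule the post quotes: long enough, one capital letter, one digit."""
    return (len(pw) >= 7
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def weakness_reasons(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return every reason to reject pw; an empty list means it is acceptable."""
    reasons: List[str] = []
    lower = pw.lower()

    m = WORD_THEN_DIGITS.fullmatch(lower)  # e.g. dog1234, december2009
    if m:
        word, digits = m.group(1), m.group(2)
        if word in COMMON_WORDS:
            reasons.append("dictionary word followed by digits")
        if word in MONTHS and re.fullmatch(r"(19|20)\d{2}", digits):
            reasons.append("month name followed by a year")

    if SEQUENTIAL_DIGITS.search(lower):
        reasons.append("sequential digit run")
    if len(set(lower)) < 5:
        reasons.append("too few distinct characters")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")

    if previous is not None:
        # Catches the Dog1234 -> Cat1234 rotation: same shape, a few letters swapped.
        similarity = SequenceMatcher(None, lower, previous.lower()).ratio()
        if similarity >= 0.5:
            reasons.append("too similar to the previous password")
        old_tail = re.search(r"\d+$", previous)
        new_tail = re.search(r"\d+$", pw)
        if old_tail and new_tail and old_tail.group() == new_tail.group():
            reasons.append("reuses the numeric suffix of the previous password")
    return reasons


def compare(pw: str, previous: Optional[str] = None) -> dict:
    """Side-by-side verdict of the naive rule and the pattern-aware check."""
    reasons = weakness_reasons(pw, previous)
    return {"password": pw,
            "naive_rule_accepts": naive_policy_ok(pw),
            "pattern_check_accepts": not reasons,
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: the three passwords named in the post plus one passphrase.
    for pw, prev in [("Dog1234", None), ("Cat1234", "Dog1234"),
                     ("December2009", None), ("small tractor bakes lasagna nightly", None)]:
        print(compare(pw, prev))
```

Running it shows the mismatch the post is complaining about: all three passwords from the post pass the naive rule, while the pattern check rejects each with a named reason, and a long lowercase passphrase goes the other way (rejected by the capital-letter rule, accepted by the pattern check).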
Inadvertent leakage of data
Abstract
Most people are either not aware, or blissfully ignorant, that the data they carry, be it analog or digital, is significant or important to anyone in any sense. If it's not a contract or some other clearly classified document or file, people just don't care. But for a social engineer, this speck of data could be all he needs to penetrate your corporate structure and network.
Data overload
How many gigabytes do you have on you right now? Well, I can list the following:
- 30GB iPod Video
- Laptop with a 40GB disk
- 8 GB memory stick
- 8 GB microSD card in my phone
- Caselogic full of CDs and DVDs, plus a 250 GB mobile hard drive
That's what I have on my person right now. It should be noted that the actual amount of data on these media is only a fraction of that, but take it as an example.
How about analog stuff? Most of us carry business cards in our wallets (along with other cards, receipts, etc.). Some old-school yahoos still have a bunch of papers in folders, binders and other assorted archiving methods that they lug around town every day.
If you look at what you have, you could very quickly conclude that there isn't anything crucial that you have on you. No contracts, no lists of people's salaries or who's getting fired next. No passwords on small post-it notes (and some of you do that too...). So what could be compromised if you lost one of these items, huh? Not a lot? Think again.
One man's garbage is another man's...
...fucking treasure trove. What could an adept social engineer do with a business card? Well, he could assume your identity for the purpose of calling someone, or even staging a meeting. The information contained on a simple business card is usually: name, title, address, telephone number(s), e-mail address. Let's go through these and make up plausible scenarios for their usage.
If you're just out trolling for a random target, a business card with these data could be all you need. Based on this, you can do additional network searches, and find out more about you, the company or what you do. Maybe you have a blog, or maybe your calendar is openly viewable on Google Calendar. You're most certainly on facebook, and since you have a business card, you probably have an extensive "net-history" to begin with. All this is fuel for the flame of a social engineer. Using this data, they can get to friends, family, co-workers, ex-partners with a grudge, old school-buddies or teachers, etc. All ways of getting to the good stuff, of whatever data it is that the social engineer is looking for.
A telephone number will give you a lot of things. First, in certain cases, it can be used to deduce your mobile carrier, and through that perhaps find out who your company deals with for telecommunications. Using that data, an attacker could assume your identity even more convincingly, because he knows something detailed about you. A good speaker could call up a secretary and, with the proper words, get what they want, just because they know a little bit of "insider information". A landline number (for those of us who still use those things) could give you an extension number, or the system of extension numbers. That way, you could exploit the company switchboard, operator or even voicemail. It's unbelievable, but in some cases you can get to someone's internal voicemail just by knowing their extension, name, and the "internal" phone number to call. Some systems are open to the outside world, because people may need to get to their voicemail from their hotel, mobile phone, home, etc.
The e-mail address will give you the naming scheme. Is it first.last@company.com, or something else? This again is information you can exploit while calling someone within the company, or perhaps the service desk, pretending to be a lost user without a password.
Realizing value
This is the core problem. People don't view these things as risks. And neither do heads of corporations, or in the worst case, the security department (if you have one). How many of the buildings you work in actually have a method of making sure nobody unauthorized gets into the office? How is physical security in general? How easy is tailgating?
I'll give you a hypothetical example. A door has a keypad, which requires a magnetic key fob and a four-digit PIN code to get in. Now, even without these, getting in is child's play. Just tailgate. At any one time, between two and five people walk in on the same opening. There's no reception desk at this door, but there is a camera. How often have you been confronted by someone asking you to show your ID? Not a single time. Most people don't even carry their IDs anywhere visible (which is a good thing on its own). Get to the elevator. Someone else uses their key fob to activate the keypad. They hit their floor number, and you hit your number right after, and you won't need your own swipe to get to the floor you want. Get into the actual offices without a key, again by tailgating. Pretend you're from another office or something, based on the information you have gotten from a business card you found, or the company website. In most cases, you won't be challenged. In most cases, people will open the door for you, and get you coffee if you're nice and personable.
There have been cases where a hacker, impersonating a service representative or helpdesk person, has actually carried hardware out the front door, and even had help with the doors.
One of the greatest fallacies of all time is that "people won't go through all that trouble to do that!". You'd be amazed at what people are willing to do.
Treat every bit of data you carry on yourself as important. If you don't, eventually someone smart enough is going to come along and exploit that. For fun, profit or something in between. Maybe just because he can.
And this is not even to mention what should be plainly obvious: losing any bit of digital data might be really, really bad. A hard disk might contain not only your files, but log files that contain IP addresses or, in the worst case, passwords to internal or external systems. The next time you lose something, take it seriously. The next time someone asks you for something, be curious as to the reason for his inquiry. We already stream out copious amounts of data that used to be personal, using social networks such as Facebook, Friendster, Twitter, etc. Don't make it too easy for the bad guys, huh?
The politics of DDoS attacks
Twitter has today been the target of a rather crippling DDoS, which has left the site down for several hours, according to Pingdom and Netcraft.
I haven't seen any word as to the attacker, and that got me to wonder:
Is there politics involved in DDoSes? Twitter knows exactly who's been hitting their sites; they see the source IPs. Sure, the attacker might've gone through a bunch of zombies here and there, or a botnet or something, but I'm pretty sure they have an idea of what is going on. Can they tell us who it was?
Let's play with the idea that it was Iran, even governmental forces in Iran, who wanted to show Twitter who is the king of the hill. Twitter was and has been instrumental in the dissemination of information from the botched elections in Iran not long ago. Twitter has been blocked in Iran by the government, but there are also other groups working to provide Twitter to Iranians through proxies and anonymizers. I'm not gonna get into this issue now; the blocking of people from sites so they can't talk freely is an issue for a different post.
Instead I'm wondering whether Twitter can actually disclose the attackers, should they know them. Or does foreign policy or something else dictate how it's done? I mean, Twitter delayed their service break at the request of the government, so that reporting from Iran could keep on going.
Who knows, but I'd be willing to bet at least someone is thinking about this issue. Can you publicly blame someone, if you are absolutely sure it was them? Or does it fall under the umbrella of politics?
Medeco – Hiding the truth since 1968
Ok, let's get the facts straight here. Medeco, a "high-security" lock manufacturer founded in 1968, tries to hide the fact that their "high-security" locks are not foolproof. Wikipedia has a page on Medeco, and when someone tries to add a section on the weaknesses found in their "high-security" locks, it gets removed. It also appears the history page is wiped clean, as well as the discussion, since I can't find any of the edits (makes it harder to restore!), or any whine or gripe on the subject. There was one comment, but my feeling is that there have been many more.
Medeco locks are used in various high-security places, such as government organisations etc. The only problem is, the locks have a weakness which makes them not at all secure, since the security can be bypassed without breaking anything.
The method is known as bumping, and was invented sometime in the 1970s in Denmark. When you bump a lock, you use a specially crafted key that is inserted into the lock, then "bumped" inwards, causing the driver pins to jump up past the shear line, so you can turn the cylinder freely. The lock is not harmed, nor will any discernible marks be left on the lock.
Most (but probably not all) Medeco locks are susceptible to this technique, and are therefore not high-security locks, and I recommend nobody do any business with them until they correct and/or admit that they've been hiding the truth. I know it's hard, guys... you've got a product that you know is flawed, and you've sold millions of them to, like... the government, and you don't want to get reamed. I get that. I don't enjoy getting reamed. But you gotta fess up when we are talking about a product that is supposed to provide security. People stake life and limb on these things.
If you want a lock that is bump-proof, and also comes from my country of Finland, get an Abloy disc tumbler lock, which are very common here. They are not bumpable, and take a considerable amount of time and expertise to pick, requiring special tools and skill. Unlike Medeco locks, which take a filed piece of metal, and in some cases a screwdriver. Whoo!
Some sources here:
Wiki - Disc Tumbler Locks
Wiki - Lock Bumping
Wiki - Medeco
Medeco Bumping at Defcon. In this link, an 11-year-old bumps a Medeco M3 high-security lock. On this page from 2006, they say their locks are virtually bump-proof. Virtually.
Hell, they even host courses on what lock bumping is and the risk it presents...
A word on legality: the possession of lockpicks or other tools that can be used to gain unlawful access, with criminal intent, to property owned by someone other than you is a crime punishable by a fine in Finland.
I am not a lawyer, so don't listen to me, but that would mean that you could have these tools for your personal practice. Lockpicking is a hobby in many countries (haven't heard much of it in Finland), and why couldn't it be? Picking a lock could be a useful skill in an emergency, when someone is locked inside a dangerous area, or if you are there yourself. Or just as a general hobby. I mean, shooting can also be a hobby...
Here is the law:
Chapter 28, section 12 a (24.5.2002/400)
Possession of burglary tools
A person who, without an acceptable reason, possesses a key to another person's lock, or a lock pick or other instrument that can reasonably be suspected of being used primarily for breaking into a closed space in another person's possession for the purpose of committing an offence, shall be sentenced for possession of burglary tools to a fine.
This means that if you, for instance, carry some tools that can be used to pick locks in a public area without a reasonable reason, you can be fined. That is, if you are not coming from or going to a lock-picking event, hobby club, etc.
A good site on this whole hobby can be found here, at the "Haittalevy" blog.